Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2024, 13:24

General

  • Target

    33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

  • Size

    775KB

  • MD5

    66ef4802ece3a0d62cab8be7d6065c8d

  • SHA1

    bf9bf0b3242ffb55726d8886480b23fc60b756c2

  • SHA256

    33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e

  • SHA512

    84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c

  • SSDEEP

    24576:+Csl9+OXLpMePfI8TgmBTCDqEbOpPtpFa8xfq:Y+OXLpMePfzVTCD7gPtLaUfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\l0GqT_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BcBcCDeDEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTcyOC0yN3RycE5hUFMyU25LNllyZkQwWDdrdXhYaThoR24wNlhDcjJTV0xqZ25yS3UwdmdtamV4VlR2UmUvRnlPejZwVlZiZDBUNDVYNE4xaHRZOFRDVWRmSkxML0M2OGE2T1JnSHc4WUtoZWZGREVqRllURXZGYTNXOWorMUdWZElHeU50LzRsbFRoSTQ2MjZ3RGJaaFhtbytzNnhxU1dLbnhaM0F4TXhKTnhQVXVRUkZmMlBFMTYvdzVtK01Ca1BxL05lV0hMUE5BZkxrTTJEbE5uNjBxcUhGeHZlVVJxdHRuRWJtSHM0RitHcTdsTTF6TGtOSmFhYmpUV1VRaXhIaVpUU015MVNFNkxsbGNwU0pSRm1kWENoZE93U1ZxTVY1MzRGVlFZNGNWdDM3YzF1b2Z6NVNNeWExL2EwK1dTb3RoRTdtb2JmVFZ5OVE5RjMyOXBWdTI5RDF5Ykc4bFlBQ0NaQWJSOUd5azVON0dEUG9SSjUwSXdxcENHQlUwMFVDWnMxbkZkSUkwQ04vMWlEbyswaTVsOEhvRTFaVG1tKzVGNVdKdGtIRXFQQ3FLbnI3OUx0Y1hPWlZObk95MzFHVVF1SjVmUXdGbDdEa2dCY043VzZvY254TzV6aWh2NEt0Sm41UjUvcEU5OUhvQzRuaDBSRjVwY1c0QlAvd0ZpS1gzSmVrMWcxaDRsaTJlSzFieC9EMjVrMFIrYnc3VTZ0M1VtM1pYV3ZaTjVNSmYvRGh5WDNMNW5ZRjFZYnJudTZoanVvd3IxaWlhT2hSZDBwcjcvTk5vY0tBVVNML0V6cVpkZm1NOEJrMjRSSVlydTAyTkU3WlBObEl5bjUxR2hpblB5SHdTUFo4K1YxMkQ2aWwxSmJMR25oeTFTUzhIQnlYbUYxenJFRzdsa1RlU2p3SnN5SUxTSFlGemZGQnh5Vnd4WmNWTkVTa0RyQjRIckd2TmJyZmE4NDl5alI5dnZrdVlWeUN1TnI4ZytDWUFDMkV4VkZSRER2M3lMV3VCTEJxajlwbE1jTWs1ZXdXa3p6RTl3SGpvK1AwdGs1T2J2TXJWb21RdHNGbmUrd0tndU00Y1hyNkRpRy95ZUk5aXllMTZ3dUo3R3UrWGo1TWh1OFVIZ3d4Ym04ZFZXSjh0aTBYL2Zsbm1XUUVxOUF5Y2ZxQnl2OGZlQjhHOG92YThLZ2hnNzdBR2d2Wk9MSzBxbW1QdDhCdklyZ2oyb3cxNWdEYUpwTVpxVHlKNXhqSVY4eHdMY3pXdmdBQ3RqSWpwVmJLeEp2M2Z2YXZQcXNVZ3I4eHRZQjBtN0ErMWRoODNJWEt3eFBYeThlUjN5bnYzUjErM21lbktZaXpCRU43NGFQMFpYR3VYcW1ydTE0clp5TnhRNi9jbm4yZzBUQ3dmMTF4T0MyY0QzNkJXZ25vc0VabDk3TUJPaDJzMnk5aWM4eXBsaFJrN0lSOVVQT0NMaVNFSWlyRGVhVWJVY3pJdkpQT3JHSVFDclY4T0t6cTdsUEc3QmF0d0RjRk9ycXFyd1Fua0Fya0ZrMXBtR0prVDNZOWRGL2poV09zdmFwUk4rdktVVE9FZ215emFsc3N0enJnNUYrWFZwdnVKTjQ1cGhCZTdBUVp1ZHpCak93Z0EzdlFZcXNKNnB6SGRHVktVVXBxME0zdU5DN1Vaek1EK0Z3NjlSSzJFa3BxQ3M1bENJZ0dYMzh5bFBwUjFYd3JQYmNTMHd3aVBhS3FsdU5rTGVPYnhkancwTXE1R25XUXdPL2x3VVVYelV5S1ZuMmhMcU16dXNHTzBTaVM2NE96Uy8vbllhNVN2YnpTL09jRnFVNnlpb2MvOEZTU2JGSVdkdkVRNDVaRlRiOG9BS3lvWEg3US9VK2Jvd3Z5K1BNSkg4cjJwWHNTUEpqS1QwQWt6c0h1THdXRVlSUEM3QW5wSHErRFM4NytMSndFYmFTbVVDWVFnaWdCRktvdW5BV2w1aEMwa3RvZ0dWeS9RYXNLQzhQSVpMWnNqRmk3akc3bU5iYmp5QVZFeG9pbGdLV0dZRVFsdFpLNHUrZzd6WjR2QXQ1anNLSnVnNEhnT3N0T0ZCTW96ejNQTUxLVVhwWWlMd0JCTEpBYnJDeUZoTktPUW03KzYwcEJ4Qzlsa3ZYSW1jWDRxc2VEVjlXdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 8csDonvSgbT
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\l0GqT_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BcBcCDeDEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTcyOC0yN3RycE5hUFMyU25LNllyZkQwWDdrdXhYaThoR24wNlhDcjJTV0xqZ25yS3UwdmdtamV4VlR2UmUvRnlPejZwVlZiZDBUNDVYNE4xaHRZOFRDVWRmSkxML0M2OGE2T1JnSHc4WUtoZWZGREVqRllURXZGYTNXOWorMUdWZElHeU50LzRsbFRoSTQ2MjZ3RGJaaFhtbytzNnhxU1dLbnhaM0F4TXhKTnhQVXVRUkZmMlBFMTYvdzVtK01Ca1BxL05lV0hMUE5BZkxrTTJEbE5uNjBxcUhGeHZlVVJxdHRuRWJtSHM0RitHcTdsTTF6TGtOSmFhYmpUV1VRaXhIaVpUU015MVNFNkxsbGNwU0pSRm1kWENoZE93U1ZxTVY1MzRGVlFZNGNWdDM3YzF1b2Z6NVNNeWExL2EwK1dTb3RoRTdtb2JmVFZ5OVE5RjMyOXBWdTI5RDF5Ykc4bFlBQ0NaQWJSOUd5azVON0dEUG9SSjUwSXdxcENHQlUwMFVDWnMxbkZkSUkwQ04vMWlEbyswaTVsOEhvRTFaVG1tKzVGNVdKdGtIRXFQQ3FLbnI3OUx0Y1hPWlZObk95MzFHVVF1SjVmUXdGbDdEa2dCY043VzZvY254TzV6aWh2NEt0Sm41UjUvcEU5OUhvQzRuaDBSRjVwY1c0QlAvd0ZpS1gzSmVrMWcxaDRsaTJlSzFieC9EMjVrMFIrYnc3VTZ0M1VtM1pYV3ZaTjVNSmYvRGh5WDNMNW5ZRjFZYnJudTZoanVvd3IxaWlhT2hSZDBwcjcvTk5vY0tBVVNML0V6cVpkZm1NOEJrMjRSSVlydTAyTkU3WlBObEl5bjUxR2hpblB5SHdTUFo4K1YxMkQ2aWwxSmJMR25oeTFTUzhIQnlYbUYxenJFRzdsa1RlU2p3SnN5SUxTSFlGemZGQnh5Vnd4WmNWTkVTa0RyQjRIckd2TmJyZmE4NDl5alI5dnZrdVlWeUN1TnI4ZytDWUFDMkV4VkZSRER2M3lMV3VCTEJxajlwbE1jTWs1ZXdXa3p6RTl3SGpvK1AwdGs1T2J2TXJWb21RdHNGbmUrd0tndU00Y1hyNkRpRy95ZUk5aXllMTZ3dUo3R3UrWGo1TWh1OFVIZ3d4Ym04ZFZXSjh0aTBYL2Zsbm1XUUVxOUF5Y2ZxQnl2OGZlQjhHOG92YThLZ2hnNzdBR2d2Wk9MSzBxbW1QdDhCdklyZ2oyb3cxNWdEYUpwTVpxVHlKNXhqSVY4eHdMY3pXdmdBQ3RqSWpwVmJLeEp2M2Z2YXZQcXNVZ3I4eHRZQjBtN0ErMWRoODNJWEt3eFBYeThlUjN5bnYzUjErM21lbktZaXpCRU43NGFQMFpYR3VYcW1ydTE0clp5TnhRNi9jbm4yZzBUQ3dmMTF4T0MyY0QzNkJXZ25vc0VabDk3TUJPaDJzMnk5aWM4eXBsaFJrN0lSOVVQT0NMaVNFSWlyRGVhVWJVY3pJdkpQT3JHSVFDclY4T0t6cTdsUEc3QmF0d0RjRk9ycXFyd1Fua0Fya0ZrMXBtR0prVDNZOWRGL2poV09zdmFwUk4rdktVVE9FZ215emFsc3N0enJnNUYrWFZwdnVKTjQ1cGhCZTdBUVp1ZHpCak93Z0EzdlFZcXNKNnB6SGRHVktVVXBxME0zdU5DN1Vaek1EK0Z3NjlSSzJFa3BxQ3M1bENJZ0dYMzh5bFBwUjFYd3JQYmNTMHd3aVBhS3FsdU5rTGVPYnhkancwTXE1R25XUXdPL2x3VVVYelV5S1ZuMmhMcU16dXNHTzBTaVM2NE96Uy8vbllhNVN2YnpTL09jRnFVNnlpb2MvOEZTU2JGSVdkdkVRNDVaRlRiOG9BS3lvWEg3US9VK2Jvd3Z5K1BNSkg4cjJwWHNTUEpqS1QwQWt6c0h1THdXRVlSUEM3QW5wSHErRFM4NytMSndFYmFTbVVDWVFnaWdCRktvdW5BV2w1aEMwa3RvZ0dWeS9RYXNLQzhQSVpMWnNqRmk3akc3bU5iYmp5QVZFeG9pbGdLV0dZRVFsdFpLNHUrZzd6WjR2QXQ1anNLSnVnNEhnT3N0T0ZCTW96ejNQTUxLVVhwWWlMd0JCTEpBYnJDeUZoTktPUW03KzYwcEJ4Qzlsa3ZYSW1jWDRxc2VEVjlXdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * yEz480iG2DBKp6
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (204) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
    "C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1876
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:2364
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:1020
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:1408
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All /Quiet
          2⤵
          • Interacts with shadow copies
          PID:1456
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:2796
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin Delete Shadows /All /Quiet
            2⤵
            • Interacts with shadow copies
            PID:1992
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2556
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
            PID:1356
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {9EC3AC4E-BAB1-4FFB-BDE3-4F9A68D81BEB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
              2⤵
              • Executes dropped EXE
              PID:1448

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

            Filesize

            775KB

            MD5

            66ef4802ece3a0d62cab8be7d6065c8d

            SHA1

            bf9bf0b3242ffb55726d8886480b23fc60b756c2

            SHA256

            33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e

            SHA512

            84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c

          • C:\Users\Admin\Desktop\l0GqT_readme_.txt

            Filesize

            3KB

            MD5

            2250d14138abc188771890a81cf536cd

            SHA1

            295d29fa7489b4a3f536339fefd73eafc91d2fe2

            SHA256

            69a1acc4211c5a74cede07a6a89169bd3bd1617fee5fadebd643ab98e1ab2db1

            SHA512

            8140e4beafe7c0149b080c4cdf7354329c02d52991852dbd3a182b041b0225dcc29619eac68d0eba2bf977b1e4c2ee99fa44dbf953e40a8a2244201c37559f31

          • C:\Users\Admin\Downloads\l0GqT_readme_.txt

            Filesize

            3KB

            MD5

            4715ea2453c07e61851a5d2038b41584

            SHA1

            6451b6166634b4a7e4bc2b5cebb4d760081674fd

            SHA256

            597ead2e955df992731d8a3763bde793c5b7f5dd9acd473458c93ef53ac8bb50

            SHA512

            e849e16da9b72f9061b9604e322fe506c1000bfdbe679e9f3d5fa67558659d835c6d6d8d8f766a1283530c6cc7b444a9cb57a58e06029e8fa23761a34d7d4fa3